Ow Facebook Part 2: Facebug Logic Flaws

4:47 AM

This series covers a class of Facebook bugs that got declined for
being unexplainable, unexploitable or having zero probability of exploitation. I decided
to share them for fun because it seems I have 2-3 hours of spare time. Check
out my previous post for part one.

This bug isn't going to be fixed anytime soon because it carries
no risk at all; it's only good for fun. With this first bug,
you can create events with years that are far off or nonexistent.

Events are only supposed to be created for the years 2012-2024, but
you can create events for years like 30000, 31337 or 1337, very deep in the future
or in the past. :)

It's not a big secret; it's just a very common logic flaw. The
program expects an integer value and does not check that the given year falls within
2012-2024, because only those years exist in the database to be chosen from. But
by tampering with the request, it is possible to change the value that is sent to
the server and stored.

Here are the reproduction steps: first, using https://m.facebook.com/events/create/basic,
create a normal event; then go to edit, choose the event and start Tamper Data,
then change the year to anything... (Note:
it has to be edited; the edit page contains the flaw. The create page is well sanitized.)

Then enjoy sending your friends event invites with years
like -25418, 1337 or 31337... Negative values are the fun part: -2012 will
become -0012. How awesome is that?

Your homies be like “You have created an event back in -0012?
:O” Haha. Awesome.

The same thing happened with Facebook birthdays: the limit for changing your
birth year is 1996, but anyone who is aware of this bug can change his/her
birth date to recent years like 2000 using m.facebook.com. This violates
Facebook's rules, makes you a minor and lowers your age, which is fun.
No risk.

The same logic issues often occur in money-related tasks. That's
a very sad thing, considering you can steal money. Recently, while pentesting a
website that contained a script to transfer money from one account to another, I was
actually able to steal money (would have been able to, anyway). Here is what happened.

Obviously, while transferring money, the script subtracts the amount you
sent from your account and adds it to the receiver's account. It's like -amount from
you and +amount to the other dude.

Now imagine the script does “Your total amount - amount
= remaining amount”. If we tamper with the request and give it a negative
amount, the formula becomes:

“Your total amount - (-amount) = remaining amount”

which is equivalent to “Your total amount + amount =
remaining amount”, which means you are instead adding infinite money to your
account.

Also, most websites' checkout pages contain a hidden
parameter holding the amount. Tampering that to 0.01 works, considering the
script only checks whether the payment completed using the payment token: whatever
amount you were supposed to pay, you paid 0.01, which still makes the check pass
and executes the next step. Enjoy!


About Paulos

I am currently specializing in application security and client-side offensive exploit research. I really enjoy breaking things. I occasionally do bug bounties, with notable references such as Coinbase, Facebook, Twitter and more.